RISK MANAGEMENT PHILOSOPHY


Cederberg Municipality is committed to the optimal management of risk in order to protect 
our core public service values, achieve our vision, objectives and deliver on our core 
business. 

In the course of conducting our day-to-day business operations, we are exposed to a variety 
of risks. These risks include operational and other risks that are material and require 
comprehensive controls and on-going oversight. 

To ensure business success we have adopted an enterprise-wide integrated approach to the 
management of risks. By embedding the risk management process into key business 
processes such as planning, operations and new projects, we will be better equipped to 
identify events affecting our objectives and to manage risks in ways that are consistent with 
the approved risk appetite. 

To further implement this approach, all role players involved in the risk management
process were identified and their responsibilities clearly documented to enforce a culture of 
disciplined risk-taking. 

Council is responsible for the overall governance of risk within the municipality. Council has 
however delegated this responsibility to the Municipal Manager (MM) and the risk 
management oversight committee. The MM, who is ultimately responsible for the 
municipality’s risks, has delegated this role to the Chief Risk Officer (CRO) and 
Management. The CRO will ensure that the framework is implemented and that council, the 
RMC, the Audit Committee and the MM receive appropriate reporting on the municipality’s 
risk profile and risk management process. Management will execute their responsibilities 
outlined in the Risk Management Strategy and Implementation Plan. All other officials are 
responsible for incorporating risk management into their day-to-day operations. 

As the MM of the municipality, council and I are responsible for enhancing corporate 
governance. Entrenching Enterprise Risk Management (ERM) into the municipality is only
one component of governance, but together we will ensure that appropriate focus is
placed on important tasks and key risks. 

SIGNATURE OF ACTING MUNICIPAL MANAGER: 


PL VOLSCHENK 
DATE: 
1. OVERVIEW


1.1. Policy Objective 

The objective of this policy is to safeguard Cederberg Municipality’s assets, interests and its 
people. 

1.2. Policy Statement 

Through this policy, the MM puts into practice his commitment to implement and maintain an 
effective, efficient and transparent system of risk management. This policy forms the basis 
for the accompanying Risk Management Strategy and Implementation Plan which is 
designed to help achieve the objective of implementing an effective ERM process and 
embedding a culture of risk management within the municipality. 

1.3. Policy Scope 

This is an enterprise-wide policy which applies throughout Cederberg Municipality in as far 
as risk management is concerned. All personnel within the municipality have a role to play in 
the identification and management of risk. 

1.4. Background 

1.4.1. Legislative Mandate 

Sections 62(1)(c)(i) and 95(c)(i) of the MFMA state that: “The accounting officer of the
municipality and municipal entity is responsible for managing the financial administration of
the municipality, and must for this purpose take all reasonable steps to ensure that the
municipality has and maintains effective, efficient and transparent systems of financial and
risk management and internal control.”

1.4.2. Legislative Compliance 

This policy is aligned to the principles set out in the National Treasury Public Sector Risk 
Management Framework, published on 1 April 2010 and to some extent King IV. This policy 
is also supported by the MFMA, Act no. 56 of 2003. 

1.4.3. Objectives of Enterprise Risk Management 

The objective of risk management is to assist management in making more informed 
decisions which: 
• provide a level of assurance that current significant risks are effectively managed;

• improve operational performance by assisting and improving decision making and 
planning; 

• promote a more innovative, less risk averse culture in which the taking of calculated
risks in pursuit of opportunities to benefit the municipality is encouraged; and

• provide a sound basis for integrated risk management and internal control as 
components of good corporate governance. 

1.4.4. Benefits of Enterprise Risk Management 

The risk management process can make major contributions towards helping the
municipality achieve its objectives. These benefits include:

• more sustainable and reliable delivery of services; 

• enhanced decision making underpinned by appropriate rigour and analysis;

• reduced waste; 

• prevention of fraud and corruption; 

• fewer surprises and crises by placing management in a position to effectively deal 
with potential new and emerging risks that may create uncertainty; 

• help avoid damage to the municipality’s reputation and image; 

• help ensure effective reporting and compliance with laws and regulations;

• better value for money through more effective, efficient and economical use of scarce 
resources; and 

• better outputs and outcomes through improved project and programme management. 

1.5. Key Concepts 

1.5.1. Risk is an uncertain future event that could influence the achievement of the 
municipality’s strategic and business objectives. 

1.5.2. Risk Management is a systematic and formalised process instituted by the 
municipality to identify, assess, manage, monitor and report risks to ensure the 
achievement of objectives. 

1.5.3. Enterprise Risk Management (ERM) is the application of risk management 
throughout the municipality rather than only in selected business areas or disciplines 
and needs to be managed in a comprehensive and integrated way. ERM recognises 
that risks (including opportunities) are dynamic, often highly interdependent and ought not to
be considered and managed in isolation. 

2. ROLES AND RESPONSIBILITIES 

The roles and responsibilities of the role players in the risk management process are as 
follows: 

2.1. Risk Management Oversight 

2.1.1. Council 

Council is responsible for the governance of risk. Council takes an interest in risk 
management to the extent necessary to obtain comfort that properly established and 
functioning systems of risk management are in place to protect Cederberg Municipality 
against significant risks. 

Council has to report to the community on the municipality’s system of internal control. This
provides comfort that the municipality is protected against significant risks to ensure the 
achievement of objectives as detailed in the Service Delivery and Budget Implementation 
Plan (SDBIP). 


2.1.2. Audit Committee (AC) 

The AC is an independent committee, responsible for overseeing the municipality’s control,
governance and risk management. This committee is vital to, among other things, ensure
that financial, IT and fraud risk related to financial reporting are identified and managed.

The AC’s primary responsibility is providing an independent and objective view of the
effectiveness of the municipality's risk management process to council and to provide 
recommendations to the MM for continuous improvement and management of risks. The 
responsibilities of the AC with regard to risk management are formally defined in its charter. 

2.1.3. Risk Management Committee (RMC) 

The committee’s role is to review the risk management progress and maturity of the 
municipality, the effectiveness of risk management activities, the key risks facing the 
municipality and the responses to address these key risks. 
2.2. Risk Management Implementers


2.2.1. Municipal Manager 

The MM is ultimately responsible for risk management within the municipality. This includes 
ensuring that the responsibility for risk management vests at all levels of management. The 
MM sets the tone at the top by promoting accountability, integrity and other factors that will 
create a positive control environment. 

2.2.2. Management 

All other levels of management support the municipality’s risk management philosophy,
promote compliance with the risk appetite and manage risks within their areas of 
responsibility. 

Management takes ownership for managing the municipality’s risks within their areas of 
responsibility and is accountable to the MM for designing, implementing, monitoring and 
integrating ERM into the day-to-day activities of the municipality. This should be done in a
manner that ensures that risk management becomes a valuable strategic management tool. 


2.2.3. Other Officials 

Other officials are responsible for integrating risk management into their day-to-day activities 
i.e. by ensuring conformance with controls and compliance with procedures.

2.3. Risk Management Support 

2.3.1. Chief Risk Officer 

The CRO is the custodian of the Risk Management Strategy and Implementation Plan and 
the coordinator of ERM activities throughout Cederberg Municipality. The primary 
responsibility of the CRO is to use his / her specialist expertise to assist the municipality to 
embed ERM and leverage its benefits to enhance performance. The CRO serves as a vital
communication link between senior management, operational level management, the RMC 
and other relevant committees. 
2.3.2. Risk Champions


A Risk Champion would generally hold a senior position within the municipality and possess 
the skills, knowledge and leadership qualities required to champion a particular aspect of risk 
management. 

The Risk Champion assists the CRO in facilitating the risk assessment process and manages risks
within their area of responsibility to be within the risk appetite. Their primary responsibilities
are advising on, formulating, overseeing and managing all aspects of a municipality's entire 
risk profile, ensuring that major risks are identified and reported upwards. 

2.4. Risk Management Assurance Providers 

2.4.1. Internal Audit 

The core role of Internal Audit in risk management is to provide an independent, objective 
assurance to council and the Audit Committee on the effectiveness of risk management. 
Internal Audit also assists in bringing about a systematic, disciplined approach to evaluate 
and improve the effectiveness of the entire system of risk management and provide 
recommendations for improvement where necessary. 

2.4.2. External Audit 

External Audit (Auditor-General) provides an independent opinion on the effectiveness of
ERM. 

3. ENTERPRISE RISK MANAGEMENT PROCESS 

To fulfil its philosophy and implement an enterprise-wide integrated approach, Cederberg 
Municipality will ensure that the eight (8) components of the ERM process are implemented 
and operating effectively, efficiently and economically (Refer to figure 1). These 
components of the ERM process are discussed in further detail in the Risk Management 
Strategy and Implementation Plan.
Figure 1: Enterprise Risk Management Process

3.1. Internal Environment 

The municipality’s internal environment is the foundation of all other components of risk 
management. The internal environment encompasses the tone of Cederberg Municipality, 
influencing the risk consciousness of its people. It is the foundation for all other components 
of risk management, providing discipline and structure. 

3.2. Objective Setting 

Objective setting is a precondition to event identification, risk assessment, and risk response. 
There must first be objectives before management can identify risks to their achievement 
and take necessary actions to manage the risks. 

3.3. Event Identification 

An event is an incident or occurrence emanating from internal or external sources that could 
affect implementation of strategy or achievement of objectives. Events may have positive or 
negative impacts, or both. As part of event identification, management recognises that 
uncertainties exist, but does not know when an event may occur, or its outcome should it 
occur. To avoid overlooking relevant events, identification is best made apart from the 
assessment of the likelihood of the event occurring, which is the topic of risk assessment. 

3.4. Risk Assessment 

Risk assessments allow the municipality to consider the extent to which potential events 
might have an impact on the achievement of objectives. Management assesses events from
two perspectives, impact and likelihood, to determine their risk score or severity rating, and
normally uses the quantitative method.
Risk Assessments are performed through a three stage process:

• Firstly, inherent risk should be assessed; 

• Secondly, residual risk should be assessed; 

• Thirdly, the residual risk should be benchmarked against the risk appetite to 
determine the need for further intervention. 

3.4.1. Risk Appetite

Risk appetite looks at how much risk a municipality is willing to accept. The aim is to manage 
risks by taking action to keep exposure to an acceptable level in a cost-effective way. There 
can still be deviations that are within a risk appetite as every control has an associated cost. 
The control action must offer value for money in relation to the risk that it is controlling. 
Although the risk is within the risk appetite, management can still implement more controls to 
bring the level down (to the left of the blue line) if it is cost effective. 

Cederberg Municipality has set its risk appetite level at Impact X Likelihood = 9 (3x3) (Refer 
to figure 2). 

The municipality has committed itself to aggressively pursue managing risks to be within its 
risk appetite to avoid exposures to losses and to manage actions that could have a negative 
impact on the reputation of the municipality. 

EXAMPLE: 
Risk appetite level: 3x3 = 9


3.5. Risk Response

After assessing the risk scores an appropriate mitigation strategy is selected. These
responses may fall within the categories of avoid, reduce, share and accept. (Refer to figure 3).

Risk responses fall within the following four categories: 

• Avoid - Action is taken to exit the activities giving rise to risk. Risk avoidance may 
involve exiting a product line, declining expansion to a new geographical market, or 
selling a division. 

• Reduce - Action is taken to reduce the risk likelihood or impact, or both. This may 
involve any of a myriad of everyday business decisions. 

• Share - Action is taken to reduce risk likelihood or impact by transferring or otherwise 
sharing a portion of the risk. Common risk sharing techniques include purchasing 
insurance products, pooling risks, engaging in hedging transactions, or outsourcing an 
activity. 

• Accept - No action is taken to affect likelihood or impact. 



Medium Risk: Share (Insurance)        High Risk: Avoid & Reduce (Control)

Low Risk: Accept (Risk Appetite)      Medium Risk: Reduce (Controls) & Monitor

                  LIKELIHOOD / PROBABILITY

Figure 3: Risk Response Strategy
3.6. Control Activities


Control activities are the policies and procedures that help ensure that management’s risk 
responses are carried out. Control activities occur throughout the municipality, at all levels 
and in all functions. They include a range of activities as diverse as approvals, 
authorisations, verifications, reconciliations, reviews of operating performance, security of 
assets and segregation of duties. 

Types of Control Activities 

Many different descriptions of types of control activities have been put forth. Internal Controls 
can be preventative, detective or corrective by nature. 

• Preventative Controls are designed to keep errors or irregularities from occurring in the 
first place. 

• Detective Controls are designed to detect errors or irregularities that may have occurred. 

• Corrective Controls are designed to correct errors or irregularities that have been 
detected. 

3.7. Information and Communication 

Pertinent information is identified, captured and communicated in a form and timeframe that 
enable people to carry out their responsibilities. Effective communication also occurs, flowing 
down, across and up in the municipality. All personnel receive a clear message from top 
management that risk management responsibilities must be taken seriously. They 
understand their own role in risk management, as well as how individual activities relate to 
the work of others. They must have a means of communicating significant information 
upstream. There is also effective communication with external parties. 

3.8. Monitoring 

Monitoring risk management is a process that assesses the presence and functioning of its 
components over time. This is accomplished through on-going monitoring activities, separate 
evaluations or a combination of the two. On-going monitoring occurs in the normal course of 
management activities. The scope and frequency of separate evaluations will depend 
primarily on an assessment of risks and the effectiveness of on-going monitoring procedures. 






4. POLICY REVIEW 


The content of the ERM policy will be reviewed annually to reflect the current stance on risk 
management within the Cederberg Municipality. 

5. GLOSSARY OF TERMS 

Accounting Officer refers to the Municipal Manager. 

Chief Risk Officer refers to the officer delegated with risk management.

Event means an incident or occurrence from internal or external sources that affects the 
achievement of the municipality’s objectives. 

Framework refers to the National Treasury Public Sector Risk Management Framework, 1 
April 2010. 

Impact means a result or effect of an event. The impact of an event can be positive or
negative. A negative event is termed a “risk”. 

Inherent refers to the impact that the risk will have on the achievement of objectives if the 
current controls in place are not considered. 

Key risks - Risks that are rated high on an inherent level. These are risks that pose a serious
threat to the municipality.

Likelihood / Probability means the probability of the event occurring. 

Management refers to all levels of management, other than the MM and the CRO.

Mitigation / Treatment - After comparing the risk score (severity rating = impact X 
likelihood) with the risk tolerance, risks with unacceptable levels of risk will require treatment 
plans (additional action to be taken by management).

Operations is a term used with “objectives”, having to do with the effectiveness and
efficiency of the municipality’s activities, including performance and safeguarding resources 
against loss. 

Residual means the remaining exposure after the controls/treatments have been taken into
consideration. (The remaining risk after management has put in place measures to control 
the inherent risk). 
Risk Appetite means the amount (level) of risk the municipality is willing to accept.

Risk Owner means the person responsible for managing a particular risk. 

Risk Management Strategy includes the detailed risk management implementation plan, 
fraud prevention policy and fraud prevention strategy and implementation plan. 

Risk Profile / Register - Also known as the risk register. The risk profile will outline the 
number of risks, type of risk and potential effects of the risk. This outline will allow the 
municipality to anticipate additional costs or disruptions to operations. Also describes the 
willingness of a company to take risks and how those risks will affect the operational strategy 
of the municipality. 

Risk Tolerance means the acceptable level of risk that the municipality has the ability to 
tolerate. 

Strategic is a term used with “objectives”; it has to do with high-level goals that are aligned
with and support the municipality’s mission or vision. 


6. APPROVAL 

Recommended by the Risk Management Committee: 

Signature: _ 

Name in Print: _ 

Date: _ 

Position: Chairperson 


Approved by the Municipal Manager: 

Signature: _ 

Name in Print: _ 

Date: _ 

Position: Acting Municipal Manager 





